Juniper Networks: Automating the Secure SD-Branch with Contrail SD-WAN

Captions
Hello everybody, my name is Tony Chandra. I head up Contrail SD-WAN and SD-Branch product management, and today we're also joined by [name unclear in captions], technical marketing engineer on our team. We're going to give you a quick overview of our solution and some of the customers and use cases that we have been focused on for Contrail SD-WAN. You obviously heard a little bit earlier today about the Mist technology; this is kind of playing off that, and how this integrates into our overall AI for enterprise architecture and vision.

In terms of the agenda, I'm going to cover about 30 minutes or so of solution overview and give you guys a chance to ask questions. I like to keep it interactive, so please do ask me questions. Then the TME will use the bulk of the time to give you a view of the actual product: a live demonstration, no recorded videos, live, so fingers crossed everything will work and hopefully the hotel Wi-Fi will be good. Of course we can take more questions during this session as well. That's what we have planned for you, so unless there's anything else, we'll dive right in.

The first thing I wanted to cover is the customers and use cases for the solution. We've had the solution in market now for well over two and a half years; we've garnered a number of marquee customers and we continue to garner additional customers in the industry. The first thing I want to emphasize is that the solution is built around our installed base of over a million SRX devices in the field. SRX is our security branch portfolio, so it does both routing and security. We've had this product in the market for well over ten years, going back to the NetScreen acquisition if you're familiar, so it has evolved over time, and today it runs full Junos with full L7 security. What we've done is take the portfolio to the next level by implementing SD-WAN functionality on these platforms as well.

So from a customer perspective, the first point I want to get across to the folks in the room, as well as those listening on the live feed, is that if you're an existing Juniper SRX customer it's a very easy way for you to potentially move over to the solution that we will be presenting later in the session today; in a lot of cases the current equipment may already meet these needs. The second thing is that we have garnered a lot of new SD-WAN customers, and I'll be talking about a few of these later in the deck: anywhere from top-tier Fortune 100 type customers, to retail customers, to manufacturing customers, to managed service providers such as, for example, Vodafone, as well as system integrators like IBM. The bottom of the slide shows a recent quote from a customer that we just won in Australia. They're a bread-making company, they do bakery products, they had about 20-30 sites, and they decided to go with the Contrail SD-WAN solution because of the extensibility from the branch to the cloud. So this is a snapshot of the customers.

Let me double-click on one such partner, in particular IBM. IBM is one of our sponsors here at the NXTWORK event today and will also be presenting a couple of sessions if you are actually attending the event, so I would encourage you to go see that. IBM has a service called Network SD-WAN; it's actually called Network as a Service SD-WAN. They utilize the Contrail SD-WAN software within their SoftLayer data center and offer a managed SD-WAN solution using their global network peering platform, called GNPP. This is a managed offering that is available to enterprises globally today.

Let me double-click a little bit and explain what it is they're doing specifically with the platform, if my clicker is going to help. There we go. Within IBM there are a couple of key components. The first is the orchestration and management platform within SoftLayer, as I mentioned, and this is a multi-tenant solution, so a single controller/orchestration engine for SD-WAN can handle multiple enterprise customers from an IBM perspective. The second thing is they have a set of gateways for terminating the SD-WAN endpoints, and these are multi-tenant gateways. This is one of our key differentiators: if you're familiar with other SD-WAN solutions out in the marketplace, you typically have to deploy a gateway per tenant, and our gateways are multi-tenant. In this particular case IBM has deployed a multi-tenant gateway, or a set of gateways, within their GNPP infrastructure to host multiple enterprise customers. The third aspect is the endpoints, and the endpoints are the SRX portfolio and the NFX portfolio. The difference, and I'll go into that later in the session, is whether you want an integrated all-in-one security and routing device, or a much more flexible x86 uCPE based device. We offer both: for example, you can run KVM hypervisor based VNFs on the NFX platform, whereas the SRX is integrated Junos only with SD-WAN. Then they have secure overlay management across their management networks, and then they offer a set of VNFs, so they offer Juniper services obviously, but they also offer third-party VNFs from other vendors. So for the end customer it's the best of both worlds; they don't need to throw away their legacy functions if the networking vendor offers a VNF. For example, a very common VNF that we see is WAN optimization, and in fact we have a partnership with one of the key WAN optimization vendors out in the market, and that is an integrated solution that you can deploy with Juniper SD-WAN at the edge of the network. Then they also provide the fifth component, which is a complete NOC and SOC capability, 24 by 7, with trouble ticketing and SLA management and things of that nature. So this is what IBM has done, and this is a fully production service now that they're deploying to customers globally; some of the customers I showed in the previous slide were actually on that platform as well.

The next customer I want to dive into is Vodafone. Vodafone is a multinational service provider, obviously known very much for their mobile presence, but they also have a very strong fixed wireline presence, particularly in Europe and other parts of Asia and in Australia and New Zealand. Vodafone is a customer that we worked with for a long time through an RFP process, and they selected Contrail SD-WAN back in late 2017 / early 2018. They decided to go with Juniper in particular for the following reasons. The first is that the solution we have enables SD-WAN to be truly integrated with existing IP VPN services. If you're a managed service provider who sells IP VPN, which is typically their bread and butter for connectivity, then as customers migrate to SD-WAN it's an imperative that you have sites on your IP VPN and sites on SD-WAN, and those sites have to communicate seamlessly with each other. The solution effectively enables that: we have a full hybrid MPLS interworking solution, because our SD-WAN gateways can peer natively with BGP and MPLS into the IP VPN backbone, effectively interfacing with your provider edge equipment. The second key differentiator here is that every endpoint comes with full built-in LTE/4G connectivity on the Vodafone network, as well as a virtual firewall. The virtual firewall is a key characteristic of our solution, as I mentioned, because it's built around the SRX portfolio, so customers who get the Juniper solution get the firewall on day one as an intrinsic part of the SD-WAN solution. This is particularly important, and you'll see that throughout the session: when you're terminating internet circuits you almost always have to have a firewall, and not having a firewall in today's security environment is not an option. So having that virtual firewall is a key differentiator for us, as well as for Vodafone in this case. Thirdly, they've built some additional capability to do bandwidth on demand, and this is something they've done through customization of our API system. The TME will show some of that, where we have the ability to create templates and allow custom UI-driven menu options for the end tenant to perform specific functions. In this case the tenant can come in and say, hey, I want 100 megabits or I want one gigabit at a particular time of day, and the pipe speed fluctuates and changes based on that setting. That's something we built specifically with them for that service. This is all in production as well; you can go and have a look at the Vodafone Ready Network SD-WAN website, there's a QR code there if you're interested in getting more information about the service.

Of course we have many more customers, but I wanted to start off by giving you a flavor of some of the key customers we have that are currently deployed in production. Unless there are any questions, I will go into the solution overview. Any questions so far? Okay.

So Contrail SD-WAN is key in terms of the following differences. Firstly, we have unparalleled scale: we scale in excess of 10,000 endpoints per single cluster of controllers, and because we are multi-tenant we can carve that 10,000 across many, many different tenants. No solution that I'm aware of from any vendor out there today scales to this point and has been tested. We did this test with EANTC in the fall of last year, and the report is available on the EANTC website. The second key aspect here is the simplicity of the UI, and you'll see that in the demo that the TME will do later on. If you compare SD-WAN vendors, and I've seen a lot of those and I'm sure you have as well, the UI is very clunky; there are bazillions of options to tweak this parameter and that parameter. What we really focused on is reducing the complexity, simplifying the workflow and making it easy for the user just to enable their sites and get up and running. The third key differentiator here is the range of endpoints, both physical and virtual. We have from the low-end SRX 300 all the way to the SRX 4200 and 4600, which are 10 and 40 gig capable, and these are AES-256 encrypted throughput numbers; the straight IP throughput for IMIX is much, much higher. So it gives us the ability to scale in very large, complex environments, which is something that some other solutions struggle to do. Security, of course, as I already mentioned, is fully integrated into the solution; it's not an afterthought. If you look at, for example, a lot of the new security vendors that are also proposing SD-WAN in the market, they have a very basic SD-WAN, but the SD-WAN functionality is not integrated with security and the two don't work together cohesively in tandem. That is not the case with Juniper's Contrail SD-WAN: every endpoint can be fully secured with the full set of L7 security policies, whether it's UTM, NGFW, ATP, IDS/IPS, etc. So we provide what we call [unclear in captions] for the WAN, and then we also extend that onto the LAN infrastructure behind the endpoint as well. We provide clustering, where for high availability we can run dual CPE in HA mode, which is active-active with multihoming options across multiple endpoints, so that for redundancy and failover you have an always-on network when it comes to SD-WAN. And lastly we provide choice: we are able to deploy on-site for large customers, and also for certain federal or other types of government customers who insist on on-prem deployment; or, for smaller customers, or customers that want to simply consume it from the cloud, we offer Contrail SD-WAN as a cloud service, natively as a SaaS offering, starting Q2 of this year as well. So these are the key capabilities of the Contrail SD-WAN solution from Juniper.

So let's switch gears and talk about why this is the case. One of the things we focus on is an easy out-of-the-box experience, as I mentioned. As I think Sudhir and Bob talked about in the previous session around Mist, we focus on an easy out-of-the-box experience end-to-end, from configuration and onboarding to monitoring to management. ZTP is part and parcel of all the endpoints; you can upgrade the endpoints completely at a group level; you can set network-wide and enterprise-wide security policies and get alarms and events across the overall enterprise. The software is built around a cloud services architecture and is fully microservices based, so whether you're a small enterprise that's looking to deploy a hundred sites or less, or a very large enterprise that has thousands of sites, or a managed service provider as I mentioned earlier, the software really scales up as well as scales down. We have open APIs. Southbound we use NETCONF over SSH and XML, and BGP for control; on the northbound side we are fully REST API based, and everything you do through the UI you can drive through the API as well. And lastly, I would say we are one of the very few SD-WAN solutions available in the market that is truly multi-tenant: we are multi-tenant in the management plane, multi-tenant in the control plane, because we use a single controller to manage multiple tenants (we use Multiprotocol BGP to do that), and we are also multi-tenant in the data plane, where the gateways themselves can be multi-tenant and we have traffic separation through multiple VRFs in the data plane on the SD-WAN gateways themselves.

So I want to ask you about that. I understand the multi-tenant control plane; I'd say that's table stakes, there are a lot of people doing the control plane multi-tenant. What do you mean by on the endpoint? Because, well, I could say everyone, but a lot of people are doing differentiated services based off different overlays, and you're saying you're the only one who's doing it. Ultimately, when we get down to it, it's a VRF and tunnels.

It's a VRF, but what we do is a single device can, and I'll talk about that later in the session, be run in a single-tenant mode, where the whole device is dedicated to that one tenant; you can still have multiple VRFs within that device for the same tenant. Or the controller can manage the same device and partition it across multiple tenants, where the VRFs are only visible to the individual tenants, the rightful owners of those VRFs.

So they're the virtual device?

Yeah, so the gateways are actually owned by the service provider, or the managed service provider, who is typically managing multiple tenants. Like you saw in the IBM use case that I mentioned earlier, the gateways are managed by IBM, but the actual tenant VRFs are unique per individual tenant hosted on those devices.

Are you doing that through VNFs? How are you separating them?

Yeah, we're basically doing it through MPLS technology, which is inherent in Junos, through BGP and MPLS. So every tenant basically gets a VRF context and traffic is separated at the VRF level.

Okay, I'm still confused. I won't harp on it, I'm just going to ask it. You say separated at the VRF level, but VRFs are only available to these individual contexts; how are you splitting contexts? Because a VRF is available to the entire device, and you're saying that this VRF somehow is uniquely available only to a particular tenant, which means you would need to split not only the VRF, so it's not just MPLS, it can't just be. I'm having a hard time understanding what it is you're saying.

So maybe you can talk to it?

Yeah, maybe I can explain. For example, let's say there is a provider device and there are multiple branch sites which are connecting to the provider device. That is the common device, because the provider is now sharing this device for multiple different enterprises, and multiple different enterprises do not want their data to be going over the same channel. That is where the IPsec or the other tunnels actually terminate on exclusive VRFs for that tenant. So the system takes care of the fact that, for example, enterprise A has VRF A, whereas enterprise B goes over VRF B, and terminates on the gateway in order to reach out to the MPLS network or the internet.

So think of it, if you're familiar with L3VPN: we've implemented L3VPN on top of an IPsec overlay. Basically the controller goes and creates these instances across the gateways; as he said, they are unique per tenant, and the only persons that have access are either the global admin or the specific owner of those VRFs.

Okay, thanks.

All right. So part of our broader strategy here, beyond SD-WAN, is to move towards the AI-driven enterprise. What you see is that we started with secure router and hybrid WAN and SD-WAN, and that's going to be the focus of most of the conversation today, but where we're really going is the SD-Branch and SD-Campus vision, where the SD-WAN technology is getting more integrated with the LAN piece as well as the Wi-Fi piece that you saw earlier in the session today. We're going to wrap this all around Marvis, which provides the service assurance layer that you saw earlier and provides the full AI capability for WAN, LAN and Wi-Fi. So that's the broader vision, but we're going to focus on the SD-WAN and SD-Branch story for this particular session.

So how does this all come together? Here is a holistic slide. What you see is the controller in the middle, which can be either on-prem or cloud delivered. You have your end devices, which could be your WAN routers or your switches or your access points. As I mentioned earlier, here are the gateways and the hubs we just talked about; these typically sit within a data center or a POP, in the case of a managed service provider. Then we also extend into a public cloud, whether it's Amazon, where we have endpoints, and we also support breakout into cloud security services that are common, like Zscaler. So whether the customers want multi-cloud connectivity from their enterprise, or back into their private data center, or to their enterprise branch sites, the solution provides full end-to-end connectivity for the end users. Of course, I should have mentioned that we support this across any type of transport, and we'll talk about that later, but one of our other key areas of differentiation is that we not only support Ethernet or LTE, but we have a myriad of other physical interface support on our CPE devices as well.

So the components, just to double-click one more time: the controller; the endpoints, which can be both physical or virtual (the physical is the SRX and NFX platforms, which come in various feeds and speeds and different sizes, and we also support the vSRX, which is available on the Azure and Amazon marketplaces); a set of gateways that basically consolidate the endpoints into an aggregation site; and then the other associated endpoints on the LAN as well as in the Wi-Fi system. So those are the key components of the Contrail SD-WAN solution.

The other key thing I want to touch on is that in Q2 we launched this as a native SaaS service. This was something that a lot of our customers had been asking for, because even though, as I said, we had a robust and scalable system, customers wanted to consume it in a much easier fashion, particularly the smaller-sized customers. So we introduced this in Q2, and it is in full production. What we provide is a native SaaS service which is multi-tenant, and this is actually what the TME is going to be demoing. There are specific SLAs around it, where Juniper actually runs the infrastructure and we give you access to the controller to allow you to manage the service. We don't manage the service; you manage your network, and we provide the capabilities for you to do that. We provide disaster recovery, compliance and horizontal scale; software upgrades and things like that are fully taken care of. So you as an end customer don't need to worry about the headache of deploying the software, upgrading it, maintaining it, things like that; it's all taken care of for you.

All right, so let's double-click into a little bit more detail. That's the overview of the solution. How are we doing for time? Okay, a little bit late, we'll speed up. Let me cover some of the specific use cases. There are three use cases that Contrail SD-WAN supports. First, we support a standalone next-generation firewall: if you have an SRX device that requires management, we can just manage that from the cloud today without any SD-WAN whatsoever, and we also support EX and Mist behind the SRX firewall. The second use case is the typical SD-WAN, and you see the overlay tunnels and the hub on the right-hand side of the picture; this is the one that we'll be focusing on primarily today. The third use case we support is standalone switch management as well, and that is possible perhaps behind a third-party CPE device.

I do have a question for you. Obviously these are standalone firewall devices that have existed for some time, have configurations, and are locally managed. This has been a challenge in maybe some other implementations that you compete against. When it comes to, you know, what do you do with that? Are you running the same version of Junos that you always have and you're just managing it? And then how does that affect things like, do you have zero-touch provisioning for an SRX, or is there a manual process that has to happen?

Yeah, that's a great question; it's a question I get asked a lot, actually. If you have an existing configuration, as you would for brownfield, we have a process where you can bring that into the system and make it part of the automation framework by creating a template. We have a tool called Config Designer that allows you to templatize your existing config, and basically the things that you want to automate as part of the initial activation process you can include as part of the template. These may be things that may not be there in the standard workflow within the NGFW provisioning setup. That's very common. In fact, we were dealing with a customer just last week who has out-of-band management interfaces configured for disaster recovery and configuration, so they wanted in-band management but they also wanted out-of-band management, and we were easily able to set that up using these templates. Once the templates are there, the device provisioning is fully automated, so you're back to the previous brownfield config that you had in the device before you introduced the controller.

So there is like a switch that gets flipped when you go from independently managed to controller managed? What is there, it then takes the correct information?

Correct.

Do you have visibility into, like, can you log into the box? Do changes then need to happen from the controller?

Yeah, so typically, if it's controller managed, you need to do adds and changes through the controller. We do not recommend doing changes directly on the device; you can, but we do not recommend it, you can get into trouble doing that. We recommend doing it through the controller, but we do have full direct access to the CLI, of course, and we actually initiate that directly from the controller, where you can create CLI access through an SSH tunnel.

If it detects a change it'll automatically put a thing in there saying you've voided your warranty. Yeah.

And then for greenfield, I'm rolling out a new SRX; what does the onboarding process look like? How do I get it attached to the controller?

Yeah, so out of the factory, depending on the age of the device, from a certain point on the software actually comes pre-programmed to call home to a specific well-known address. So as long as you have an internet connection and you plug the device in and you get an IP address, it'll call home: it'll connect to the redirect server, and based on the serial number it'll basically resolve itself to the rightful owner, and then within the controller the provisioning steps will automatically kick start at that point.

You maintain the list of serial numbers to customers and where that controller exists? That works both in the cloud and on-premise?

Yes, yes, it works both in the cloud and on-prem. The on-prem controller talks to the global DNS system, so it resolves the serial number to the owner.

That could be a lot of fun for those five-finger discounts that end up on eBay.

Yeah, I mean we're seeing this everywhere; that's a pretty common model, right.

Yeah, but then that service has to be online for those things to come on for the very first time.

That's correct, that's correct. It's usually one time for device activation; after that it's not required.

So here's a slide that shows all of the features that we have in Contrail SD-WAN. I'm not going to cover these in depth, but I'll touch on a couple. What you're seeing here is that we have a whole host of best-in-class SD-WAN and SD-Branch functionality, we have full L7 security functionality, as well as functionality that is specific for managed service providers, like obviously scale as well as multi-tenancy on the gateway and the controller that we've talked about. The other thing that's key is we have very robust and deep role-based access controls, so that if you are deploying it in a multi-tenant configuration you can create these roles and users against the tenants, and we'll talk about these in more detail.

So in the interest of... Back to that for just a sec. Okay, sure. Because you kind of opened the box a little bit having all of your security things there and highlighted in terms of what it is that you do. Is that just meaning that you support us being able to push out profiles that way, or that you, as the cloud offering, are going to be offering best-of-breed or professional-services-level pre-done templates for that?

So today, for security, we just provide you the mechanism to provision your policies. We don't tell you what the policy should be; that's really up to you to decide. Our PS team can certainly help you and guide you if you need that level of guidance, but that's not part of the system. The system just gives you the mechanism to implement the security policies and push them across your enterprise network.

Yeah, and it's actually intent-based policies, both for security and SD-WAN. It's technically so easy that I guess any IT admin should be able to do that very easily.

So easy that even Stephen can do it. Yeah, yeah. It's for James.

All right, so let me highlight some of the key areas in that feature list in a little bit more color and detail with the remaining time. The first is a very sophisticated capability called dynamic mesh SD-WAN. You might have heard a lot of SD-WAN vendors talk about full mesh and hub-and-spoke, etc. When we looked at this problem, we said neither of those answers was necessarily the right solution for a given customer, because customer traffic profiles vary significantly from customer network to customer network. So what we did is we came up with this controller-based architecture where the controller is able to actually learn the traffic patterns of the enterprise network. It initially starts off with a hub-and-spoke model, where every spoke is connected to at least one or two hubs, but over time, if specific sites are communicating with each other, the controller recognizes those traffic patterns and is able to set up direct site-to-site tunnels to shortcut the traffic directly site to site. What this means is that the overlay network basically self-adjusts to the traffic flow of the actual enterprise over time and optimizes the overlay based on the actual traffic pattern. Also, when traffic is not going across a specific set of tunnels for a specific time, it can tear down the tunnels as well. So this is what we call dynamic mesh SD-WAN, which we believe is an order of magnitude more efficient than a full mesh design, which you typically find has all sorts of scaling and peering problems. The routing is automatically done through BGP, so when the shortcut is established it's completely transparent to the application; that's all working straight away.

What happens when there's no access to the controller?

So when the controller is not reachable, the current routing infrastructure continues to function, because we actually can run in headless mode for up to 180 days without a controller. It uses the last known state, so basically if you had a set of reachability and routing tables to get to the next endpoint, and the controller goes away, the last set of known routes will remain in all the endpoints to ensure that traffic continues to flow uninterrupted in the data path.

So in the event of a natural disaster where the controller's knocked out and site 2 is knocked out, and site 2 needs to come back online but the controller's not online, how does it get around something like that?

So for bringing up a new site you do need the controller back online, right. For bringing an existing site back online...

So bringing the existing site back online would work? Those sites are actually talking to the enterprise hub or the provider hub, or both of those?

So those will work; the management will not work. Once it's already provisioned, or configured (when we say provisioned it means configured, essentially), all the routing information resides on that device itself, so the tunnels and whatever needs to re-establish, the sessions or anything that needs to be re-established, will automatically re-establish. It will just show that the management is down.

Yeah, and we've actually tested this, because a lot of our customers have asked what happens when the controller goes away. We've tested this extensively in our testbed environments and shown that traffic continues to run uninterrupted for over 180 days; there's a specific timer that's over 180 days that will ensure that if that is the case. So that's why I say that.

I have two questions on this before you proceed. First, is this topology configurable? If I want to run a full mesh, can I force it into that, or if I want to run a hub-and-spoke, can I move into that?

Yes, this is just another option; yes, you can.

Or, what is the lag time between recognizing the traffic is going site-to-site and the time that a tunnel will be stood up?

Yeah, so it's kind of a lazy setup and teardown; it's not instantaneous, because you don't want tunnels going up and down and bouncing across your network. Typically there's a threshold at which a certain traffic pattern has to be seen in the network for a certain period of time, and usually that's configurable, but it varies from three to five minutes. These are long-lived flows, so if site 1 and site 2 are constantly talking and chattering with each other for some period of time, then the tunnel will get established and traffic will get rerouted.

Also, the spoke sites themselves have a threshold wherein they can, for example, have X number of tunnels established, and they will keep those tunnels. Only when they cross that X number will the controller start checking whether there is traffic going on between the different sites; if there is no traffic, then it will start tearing down the tunnels.

Yeah, so you can set the threshold for teardown to be aggressive or lazy as well; that's configurable.

Tony, my question is, kind of comparing and contrasting the legacy way of doing things versus the new way with a controller or SD-WAN sort of architecture: the old way we would do this on the SRX, maybe with Group VPN, or maybe, as Scott astutely points out, with DMVPN in the Cisco world. This is a problem we've already solved, right, the hub-and-spoke versus the N-squared problem, and this really takes care of that. But I'm wondering, is there any sort of benefit of this approach, using a controller-based approach, versus the old way we used to do things?

Yeah, the main benefit is obviously automation. You don't need to go in and provision the IKE keys and the IPsec configuration, and every time you change one side, update the keys on the other side; all that is done for you. We support PKI-based certificates, so the controller takes care of distributing the certificates, we do certificate renewals and things like that. So firstly it's automation. The controller, as I think you would have probably figured out, is also effectively acting as a virtual route reflector: there are BGP sessions between every endpoint and the controller, so it's basically handling the whole reachability, the IKE setup, the IPsec and the overall topology. That whole set of automation is what really is the primary benefit, where in days gone by you would have had to configure all of that.

Also, there's a concept called mesh tagging. Say, for example, you have sites which can actually mesh with each other but you do not want them to; so you put those in different mesh tags, essentially, if you do not want them to talk to each other directly. That can be very easily implemented using the controller.

Yeah, I was not going to go into that here, but yes, super. As you can see, the tags are there, and what the tags do is allow you to provide affinity between links, or link types, or similar link types, on opposing sites where tunnels are established. Think of, let's say you had sites with LTE links and sites with gig links, each side having LTE and gig, and you want the gig links to mesh with each other and
you want LTE links to mesh with each other you don't want the LTE links to perhaps mesh with Giggy because one one is gonna be asymmetric and not provide good throughput right so so things like that and then we support geo based meshing so you can assign what we call this enterprise hub right an enterprise hub is a concept that is dedicated to a particular customer and actually this is the next slide here so we support this concept where to my point earlier where we have a hub that's dedicated for one customer and you can assign tags across the wine links to enterprise hubs so their site one insight to connect to enterprise hub let's say on the East Coast where a site 3 & 4 connect to enterprise hub on the west coast and the hubs themselves can optionally mesh with each other as well so we have what we call a two levels of hierarchical meshing right where you can create an overlay between the sites and the hubs and the hubs themselves can connect to each other across an overlay mesh and then that is all provided and automated through the controller in fact this slide actually shows that I think the next slide here shows that so so here what we have is we have a typical kind of hub and spoke dual hold right from these regions and then you know you can have direct oops like there's not cooperating you can have direct site-to-site tunnels establish here based on the on-demand dynamic mesh capability but let's say you have these Enterprise hubs and you know customer sometimes want to connect these Enterprise hubs through public networks as well and and so you can use you know public networks for transit connectivity between the enterprise hubs as well should you not have dedicated connectivity from an underlay perspective right so we provide that level of you know - peer connectivity from a topology perspective and this is fully automated by the controller no you know operator intervention required since you would mention it as affinity just command line wise my mind 
was going to MPLS te are you doing the same type of thought process as that goes through so how do you say MPLS so so we are doing some basic traffic engineering on the overlay but we do we don't do reservation right you know but as in your gold can talk to gold or silver but not bronze yes we we definitely do that yeah we definitely do that you know and then the tags allow allow that to happen I'm gonna speed up because I think we're behind all right so that's okay we're about 15 minutes behind schedule all right okay so the other key point here is so we talked about topology we talked about sort of all the cool things that controller can do but really at the end of the day the IT administrator and the business really wants to make sure that the applications are performing to what they need to be within the enterprise and so so Jennifer's controversy was really focused on application based control around st-1 and we do that through basically the packet inspection of every application coming in to every endpoint on the sd1 network and as you know the SRX has that capability has had that for a long time so basically we leverage you know over 4,200 unique signatures that are able to be identified and those signatures are then mapped into specific SLA classes that are specifically defined based on the st1 profile and policy but what you see here is base you have department at a site specific applications like teams WebEx Skype link etc having a SLA that's labeled collaboration and we'll see what collaboration can actually map into we also support you know custom user-defined applications so if you have in-house applications that are not you know easy to define you can define your own applications and then use that within the sd1 policy and and make sure that that SLA is is provided for those applications so so what is the SLA real quick well how did that with the customer applications I know how exciting it is to do that on the SRX is that something we can figure in 
contrail and it pushes it down or do we have to it's all UI driven okay it's you you define a custom app and hopefully you will have time so it you can use that in the st1 policy it's fully automated stuff like a five tuple no it's more than a five tuple you can do regex expressions you can do protocol types you can do all sorts of funky stuff MARY POPPINS is just deep actually only gets you so far meaning if you're not decrypting trafficker yeah that's a good point so so actually only 80% yeah yeah so I think adding you know we have the same challenges as I think I would say a lot of other st-1 vendors in that regard and and so for that we also support the SCP based so if your traffic is encrypted you know you're in crypto can map the outer header to the SCP code points and you can take the policy on that way as well okay so so the sd1 policy is is basically utilizing an technology called a BOE application quality of experience and basically we you know provide or insert probes within the data path of the application stream to measure these specific parameters like to a latency ingress egress jitter packet loss etc why do we do that it it provides a level of granularity that is unparalleled because you can actually measure the actual quality of the application versus using synthetic probes a lot of other vendors in the industry too use synthetic probes to mimic what the application would actually be behaving without knowing the actual behavior or the SLA that the application is receiving whereas in this case the application traffic and the the pro traffic are basically integrated into the same flow and so whether you're queuing or dropping packets or anything like that for that particular application the probes are going to basically see that and you're gonna basically see those in the in the SLA violations that are measured so here are some of the options again I'm not gonna cover in details the house is gonna do that but this is one of our areas where we built 
on top of June us and the DPR engine that we've had to get to that next level of SLA measurement pour on a per app basis yeah we we do synthetic when the links are idle so if there's no traffic you got to measure the links we send synthetic pros for idle links but when there's actual data traffic we actually use the data traffic and embed the pros within the data track so they suck unless you're using a linear yeah so it's like say for example the traffic is going on say for example the MPLS link and you want to measure the Internet link or the other available links at that time so synthetic probes are actually going on on those links also epic probes actually it's synthetic but it's not like dummy synthetic for example if we have a particular SLA with some cost parameterization for say some collaboration application which is very different from let's say some normal other website which has just some different cost parameter okay so the synthetic probes would also be different so there would be two different types of synthetic clothes running for to replicate that two different cause settings absolutely we also provide very granular break out options so because we have application visibility at every point in the network we can break it out on a per application basis on each site or at the enterprise hub or we can you know break it out on on a department or you know we can break it out on a you know all traffic destined to you know specific you know destination for example so we have very flexible break out options both into the underlay as well as at the enterprise hub as well as to some cloud security applications as mentioned earlier the other benefit that we have is we talked about you know how we use VRS in the sd1 design we provide full network segmentation and to end on a pertinent basis using the same concept as well so we use that within the tenant where we can support you know 25 more more different what we call departments and the department could be 
representative of say guest Wi-Fi your PCI compliant traffic or your corporate internet traffic or your you know sales traffic you want to keep separated physically within the network the the department's allow you to do that and these departments basically are carried you know separated within a single shared data tunnel using MPLS tags so that you know that the data traffic does not actually mix between the departments and if you want to actually connect the departments you have to have an explicit policy at the hub to allow reach ability between departments otherwise the departments are completely separated out at every endpoint now 25 little vague point that number could be 26 or 10,000 what's your station on it's just a it's a it's a tested number it could be higher we've done 225 you don't have a theory you don't have a theoretical limit but we could go much higher so there it can go much yes all right so different models you will see that they can have different number of vrf actually those are very high yeah I've been I mean this is pertinent so so within the within the within the hub you could have you know hundreds if not thousands so if you out on an SRX device where that number goes down rapidly between five tenets versus one time the number inside would be different right right yes that's correct we also support a user based firewalling so this is by connecting our firewalling capability to sync things like Active Directory or an LDAP server we can not only just report on IP addresses but actual users within the reports within the the sd1 system so so this is a pretty nifty capability for an enterprise where you want to segregate different types of users based on their organization or their you know work type for example like sales finance etc and you can apply different policies to those users and as well as you know potentially break those out types of traffic in various forms within the overlay and underlay environment see that's the stuff I'm 
excited about Marvis see me into finance is allowed to watch YouTube and sales is not exactly let me drop that YouTube traffic yeah exactly [Laughter] we also support full unified threat management so this is a key capability because as I mentioned earlier in a lot of cases when you're breaking out into the underlay on the internet side you need some kind of threat management capability and we provide that you know integrated into the device without this a lot of customers end up having to put a third firewall or third-party firewall behind or in front of the st1 device and the networking part of it at every branch becomes quite complex very quickly whereas you know in our case the policies and the data path is truly integrated so you can just break out and apply the policy right there within the st1 device into the underlay in there and so let me wear my skeptic here for a minute sorry I knew where my skeptic hat okay sure because this slide reminds me a whole lot of when the Astro axis first came out mm-hmm and all the cool things that we can do mm-hmm just not all at once and now you want to tell me that we have all these cool things that we can do mm-hmm and we can do SD wham and talk to somebody else and encrypt stuff that's the hey yeah how many all at once I mean I think you know the your list alright and of yours I forgot about that one I mean as I started the we know fair point right at the start of the session we have a very wide portfolio devices with different performance characteristics right so my brother clearly if you enable all features I'm sorry I said so my branch officers need to have that sorry 56 hundreds no you don't but we've done baselining to your point and you know you know reasonable degree with certain features on now if certainly as you turn on more features there will be some impact and that depends on the level of performance that you're trying to get but we clearly have a portfolio that for all the different bandwidth types so we 
can give you recommendations on on when you're doing SDI and with some of these additional features what is the right platform for you to you know pick give it a particular branch size or capacity with different testings that you've done has it gotten down to a not necessarily package per second but but throughput yeah yeah with we have we have numbers where we can you know guide customers are for I miss traffic's with SD wine with ng FW with full UTM ids/ips things like that yeah absolutely yeah because it obviously becomes important in the app sizing yep okay so so the other piece here is that the multi-cloud aspect so we also extend through this cloud spoke option into AWS today where you can specify Region V PC ID prefix etc and we automate a CloudFormation template that you can run within AWS and that automatically enables the endpoint within your V PC to connect into your enterprise or provider hub and become part of that overlay network so this seamlessly now you can extend that your sty networking - into public cloud as well so so that's that's the key capability that's there today sorry yep sure so you just keep going with the cool thing this one let's just do for me that's okay one is there any plans on doing a sure yeah we actually support a shirt today it's just that they need some additional automation capabilities which is coming in the roadmap V SRX on Azure is fully supported today so second one down that path is are you doing it are you working with any of the FedRAMP providers of the FedRAMP yeah so we are working with sub partners to get the software into gov cloud okay which is FedRAMP certified yeah we actually have ongoing project for okay okay so the I think a couple of key last slides and I'll hand over to Stan so hopefully soon so basically we have very extensive multi-tenancy where we go through you know not just the tenant level but we have a concept called operating company which allows separation of tenants and then these map each 
tenants map into departments which map into VRS as I mentioned so so we actually have three levels of Management multi-tenancy and then we have you know two levels of data playing multi-tenancy in the hub as well and this is all enabled on the existing portfolio right and you know the existing SRX devices and nfx devices that are you know part of our vantage so you know you can see all the the numbers there I think from you know the low end on this rx 300 to the 4000 series the nfx 150 the 250 series and then it's also supported with our dual sim LTE module which is supported on the SRX as well as on the nfx and then of course the V SRX piece for public cloud extinction okay so so the key point in this is that you know whatever is the size or the type of deployment or the environment contra LSD one solution can actually extend into that environment to provide the needs for your broader enterprise and business the other key piece here is myth Mist right we worked very closely with mists team to have backend integration so we provide single sign-on to the mists cloud today within the the contrasting wine solution so when mr. 
access point is plugged in it is automagically Discovery's garage mice using lldp right and then it becomes visible to the controller and once it's visible to the controller you're able to basically the clicker is not working ok here we go you can click in and basically we do context context-sensitive cross launch into the mist portal for that access point right so that particular access point you click on it and you go directly to that access point in the mist cloud portal and so that's available today as well to provide much tighter integration with mist and then we're obviously working closely to to extend that functionality much much more in future in fact what we are going towards as at the start of my session is to to basically extend the Marvis capability as you heard from Sudhir and Bob earlier you know both across the not on the Wi-Fi but on the land as well as one right the Sdn controller gets a lot of telemetry on on apps and and and end-users and IP address information and how they're performing and we can very easily provide that information to Marvis and that is where where we're looking to go that provides that single sort of pipeline and sort of you know federated management view between Cantrell st1 and the mist cloud as well Athar is just not there - do you bring switches in as well because we're talking us the SD branch which is new for the Nestea when there's just an assumption there that means that it's extending into more of the wired and wireless access from a controller based yeah yeah direction you're heading or is that so so we do support some some basic switch management today as well for but as you saw I think the the switch piece is being led by the misty right and and control s t1 is integrating the Sdn solution to the mr. 
solution I think the like the holy grail here is the idea of being able to extend you know via routes and tenants and and those things into the switching infrastructure as well to branch the idea is that for a wired client to be able to connect the same way okay now it's great that we have all this segmentation but it happened to it at the edge of the prayer you talking about whereabouts you tell me more about a like a campus environment yeah yeah yeah you know we're looking at that that supported on the ex-46 50 and higher switches it's not supported on the lower end switches so we we are looking at that okay
Info
Channel: Tech Field Day
Views: 2,713
Rating: 5 out of 5
Id: Cuic0JOF5iQ
Length: 61min 0sec (3660 seconds)
Published: Wed Nov 13 2019